23.08.2024

The Digital Operational Resilience Act (DORA) is coming – what does it mean for Financial institutions?

The Digital Operational Resilience Act (DORA) is a ground-breaking regulation by the European Union aimed at bolstering the information and communication technology (ICT) security of financial entities.

Entering into force on January 16, 2023, and set to apply from January 17, 2025, DORA establishes a harmonized framework for managing ICT risks across the financial sector. This regulation is binding across all EU member states and targets a wide range of financial entities, including banks, insurance companies, and investment firms, as well as ICT third-party service providers. For UK-based banks that do not have subsidiaries in the EU, DORA may not apply directly. However, the intent of legislating for operational resilience is shared by UK regulations.

DORA Background & Context

DORA addresses the critical need for financial institutions to enhance their operational resilience against ICT-related incidents. Historically, financial institutions managed operational risks primarily through capital allocation. However, DORA introduces comprehensive requirements for protecting, detecting, containing, recovering, and repairing capabilities against ICT-related disruptions. This is crucial as ICT incidents can jeopardise the stability of the entire financial system, regardless of capital adequacy for traditional risks.

The critical role of IT in DORA compliance is well recognised. PWC stated: “We view DORA simultaneously as a challenge and opportunity for financial entities and their critical ICT providers. The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of ICT and cyber resilience across all their EU operations.”

Business Reporter added: “Whether you operate in the EU or not, it’s worth thinking now about whether your organisation has good operational resilience or not.”

Put simply, to ensure compliance with DORA, businesses must focus on strengthening their network and cybersecurity postures.

DORA Implications

The clear starting point is developing robust IT Risk Management Frameworks. Well-chosen, resilient IT systems and tools can minimise the impact of ICT risks by continuously identifying potential threats and embedding protection and prevention measures. Anomalous activities can be promptly detected, and comprehensive business continuity and disaster recovery plans can be put in place to ensure quick recovery from ICT incidents.

A second step is to conduct regular digital operational resilience testing and assessments. Ampito’s RedSpam offering includes digital operational resilience testing services and tools that can identify any weaknesses or gaps that need mitigation.

For anyone managing digital infrastructure, recent high-profile incidents have highlighted the vulnerabilities inherent in dependence on a global technology provider rather than working with a trusted local partner who can provide a solution set that meets your specific requirements.

How Can We Help?

Ampito has, through our RedSpam service, provided proactive cybersecurity solutions for over 12 years. We work with a small range of best-in-class technology partners, and our team of experts understands the intricacies of safeguarding your digital assets.

Our RedSpam team can offer you personalised assessment of your current security posture, and will help you identify what you need to put in place to not only comply with DORA and other regulatory pressures, but also enhance your overall cybersecurity posture, ensuring resilience against the growing threats in the digital landscape.

Written by Dave Hughes